Hi,

On Thu, 26 Jun 2003, Kai Schaetzl wrote:

> Tony Earnshaw wrote on Thu, 26 Jun 2003 15:34:17 +0200:
>
> > I, and many other (increasingly many other) mailadmins refuse on invalid
> > HELO/EHLO credentials. Many can not afford to, many see this as a main
> > weapon against non-ham.
>
> Well, what do you exactly do to refuse them? Do a reverse lookup and see if
> it matches? Isn't that quite rigid and will also reject legitimate mail in
> maybe 10% of all instances?

HELO/EHLO credentials don't have to match an existing host name but they
do have to be formatted properly (i.e. FQDN). I reject on broken HELO
format with Postfix using:

smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworks,
    hash:$config_directory/moron_bypass, reject_invalid_hostname,
    reject_non_fqdn_hostname, reject_unknown_hostname,
    hash:$config_directory/ffd_source, permit

reject_invalid_hostname drops connections with broken hostname syntax

reject_non_fqdn_hostname rejects connections with HELO not formed as a
FQDN

reject_unknown_hostname drops connections from machines without DNS A or
MX record (twitchy)

hash:$config_directory/ffd_source ostensibly does some sanity checks on
mail purporting to come from freemail services (a hack I picked up on
SPAM-L)

and hash:$config_directory/moron_bypass allegedly whitelists
connections from borked-but-borked servers. I'm not sure if it works.

I wouldn't recommend some of these options for most installations. I get
FPs, especially because of reject_unknown_hostname, causing me to
temporarily lift that restriction every week or so (I suspect
moron_bypass is not working...). FPs are nowhere near 10% (much, much
less) and this blocks a fair chunk of spam. YMMV.

hth,

-- Bob
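
Added example, not part of the message above and not Postfix source code: a simplified Python model of the three HELO checks described (syntax, FQDN form, DNS existence), returning the first one that would refuse a given HELO argument. The function names, the `resolves` callback and the sample host names are constructed for illustration; the DNS lookup is stubbed so the example runs offline.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def is_address_literal(helo):
    """True for a bracketed literal such as [192.0.2.1] or [IPv6:2001:db8::1]."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    inner = helo[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    return is_ip(inner)

def classify_helo(helo, resolves):
    """Return the first check that would refuse `helo`, or "pass".

    `resolves` is a callable(name) -> bool standing in for the A/MX lookup
    (assumption: a stub, so no network access is needed).
    """
    if is_address_literal(helo):
        return "pass"
    name = helo[:-1] if helo.endswith(".") else helo  # allow a trailing root dot
    labels = name.split(".")
    if not name or len(name) > 253 or is_ip(name):
        return "invalid_hostname"       # empty, oversized, or bare unbracketed IP
    if not all(LABEL.fullmatch(label) for label in labels):
        return "invalid_hostname"       # broken syntax: empty label, bad character
    if len(labels) < 2:
        return "non_fqdn_hostname"      # well-formed but not fully qualified
    if not resolves(name.lower()):
        return "unknown_hostname"       # the DNS-dependent check; FPs come from here
    return "pass"

# Constructed data: the only name our stub resolver knows about.
CONSTRUCTED_RESOLVABLE = {"mail.example.org"}

def offline_resolver(name):
    return name in CONSTRUCTED_RESOLVABLE

def triage(helos, resolves=offline_resolver):
    """Classify a batch of HELO arguments, e.g. pulled from SMTP logs."""
    return {helo: classify_helo(helo, resolves) for helo in helos}
```

Only the last check depends on DNS; the first two are pure syntax, which is why a HELO name can pass them without matching the connecting client.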



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
